NetworkGuy

Are the tiers a maturity model?

I have heard from many observers of the Cybersecurity framework.  Yes, it is a maturity model.  Our next step is to call it one.  To assist with the decision, we should prescribe some type of metrics to simply explain the concept.  QUACK -QUACK!


I agree. The Tiers are indicators that describe the maturity of an organization; however, I also agree that more specific metrics are required to create a maturity model. Because the Framework does not provide specific, measurable activities that can be used to determine where an organization falls into a maturity model, I don't see the Tiers as a maturity model. I do agree they can be seen as a precursor to defining a maturity model, but I'm not sure if a maturity model can be created that is appropriate for all 16 CI sectors. It may be more likely that specific sectors would create a maturity model that is implemented within their sector. We are already seeing indications of this with programs like the ES-C2M2 (Energy Sector Cybersecurity Capability Maturity Model).


A maturity model in this context is to monitor and track the implementation or deployment of the Executive Order and Presidential Policy Directive 21 guidance. At a very high level you can map the 16 sectors. Once they are mapped, the Owner/Operators of a given sector should determine the "metrics" of the sector's maturity and the steps needed to get to the highest level. The common denominator for the sectors is the NIPP.


Tiers provide some indication of maturity, but calling something a "maturity model" (while somewhat a matter of semantic difference, true) implies, to me, something more robust and complete than what exists in the framework as written.

What the tiers functionally provide, in my mind, are stubs hinting at how a maturity model might be developed on top of the framework (or stubs with which to link the framework into existing maturity practices). By themselves, though, the tiers are pretty sparse. If there had been a full-blown maturity model attached to or built into the framework, I don't think we would be seeing the kind of disagreement we're seeing on what implementation or adoption mean (or even which term to use).

As a related aside, I believe that at some point the idea was to use the Framework to support the Performance Objectives developed outside of the NIST/Framework process (performance as in "mission/business goals for security programs using the framework to achieve", not metrics performance), and this would have led down a more robust maturity model path if it had happened. But, lacking that driving context, the framework seems to have stopped at "framework" and will rely on us to extend it further.


Tom, I disagree with your comment that a maturity model can't be created that's appropriate for all 16 CI sectors, and the ES-C2M2 is actually (and ironically, given that it is a sector document) a good example of why. One of the things that the ES-C2M2 *doesn't* include is a model for justifications and goals (or it didn't when I last looked at it). These sector (or even individual business) priorities should provide the context required to determine what the appropriate maturity level for a given domain is, and they help constrain the implementation of the activities or practices in the domain, but they do not define either the domains or the supporting maturity levels. In other words, there are many fundamental cybersecurity truths that a reasonably good security model can/should describe independently of the prioritization and shaping of those truths to achieve a specific set of (sector- or business-specific) performance goals. It's that shaping to meet goals that should be specific to a sector, not the underlying maturity model itself.

Just IMO.
